;Find GetProcAddress function name (the ordinal) Find_GetProc: inc ecx ; Increment the counter (we start from 1) ; lodsd instruction will follow the pointer specified by the ESI register and set result in the EAX, this means that after the lodsd ; instruction we will have the offset of the current name function in EAX. ; the instruction will also increment the esi register value with 4, so ESI will already point to next function name offset lodsd add eax, ebx ; Get function name (offset + base a) cmp dword [eax], 0x50746547 ; PteG ->search first 4 bytes of the string GetProcAddre in little-endian format jnz Find_GetProc cmp dword [eax + 0x4], 0x41636f72 ; Acor ->other 4 bytes jnz Find_GetProc cmp dword [eax + 0x8], 0x65726464 ; erdd ->other 4 bytes. At this point even without checking the last 2 bytes (ss) of the function name we assume it is GetProcAddress jnz Find_GetProc dec ecx ; we start counting from 1 but the adrress index start from 0 so we need to decrement ECX ; now ECX points to the array index of AddressOfNames and we can obtain the ordinal value in this way: AddressOfNameOrdinals[ecx] = ordinal